Article By: Eunice Mushawatu
The API Security project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. The Top Ten security threats include:
- Broken Object Level Authorization
- Broken Authentication
- Excessive Data Exposure
- Lack of Resources and Rate Limiting
- Broken Function Level Authorization
- Mass Assignment
- Security Misconfiguration
- Injection
- Improper Asset Management
- Insufficient Logging and Monitoring
According to the API Security project, injection flaws, such as SQL, NoSQL and command injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization. The Layer7 API gateway is deployed in front of APIs to mitigate these and other API vulnerabilities. This post gives guidelines on how to use the Layer7 API gateway resources to mitigate injection attacks.
Perform Proper Input Validation
One of the first security measures policy developers must take is input validation. While not a complete defense, syntactic and semantic validation of input are key in reducing the risk of injection.
1. Add the Protect Against JSON Document Structure Threats assertion to the policy for JSON-based services. This assertion enforces constraints on the structure of incoming JSON requests and should be applied before any JSON manipulation in the policy.
2. Add the Validate JSON Schema assertion. User input is validated against the schema you specify, and the request fails if unexpected data is received. The JSON Schema validation vocabulary can be found at http://json-schema.org/draft/2019-09/json-schema-validation.html
3. For XML-based services, add the Protect Against XML Document Structure Threats assertion to the policy instead.
4. As with JSON schema validation, add the Validate XML Schema assertion to specify the XML schema that defines what a valid XML request must look like.
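To make the two JSON steps concrete, here is an added example in plain Python (not Layer7 code) that performs the same two checks: first structural limits on nesting depth, entry counts and string lengths, as a document structure threat check does, then an allow-list schema that rejects unexpected fields and malformed values. The schema format is a simplified stand-in for the JSON Schema vocabulary, and the limits, field names and sample payload are constructed.

```python
import json
import re

# Structural limits applied before anything else inspects the document
# (values constructed for this example, not gateway defaults).
LIMITS = {"max_depth": 4, "max_entries": 20, "max_array": 50, "max_string": 256}

def check_structure(node, limits=LIMITS, depth=1):
    """Raise ValueError if the parsed JSON exceeds the structural limits."""
    if depth > limits["max_depth"]:
        raise ValueError("nesting depth exceeds %d" % limits["max_depth"])
    if isinstance(node, dict):
        if len(node) > limits["max_entries"]:
            raise ValueError("too many object entries")
        for value in node.values():
            check_structure(value, limits, depth + 1)
    elif isinstance(node, list):
        if len(node) > limits["max_array"]:
            raise ValueError("too many array entries")
        for value in node:
            check_structure(value, limits, depth + 1)
    elif isinstance(node, str) and len(node) > limits["max_string"]:
        raise ValueError("string too long")

# Allow-list schema for a hypothetical "create user" request (constructed).
USER_SCHEMA = {"username": re.compile(r"^[a-z0-9_]{3,32}$"),
               "age": int, "role": ("reader", "editor")}

def validate_user(body):
    """Parse and validate a request body; return the clean dict or raise."""
    data = json.loads(body)
    check_structure(data)
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    unexpected = sorted(set(data) - set(USER_SCHEMA))
    if unexpected:
        raise ValueError("unexpected fields: %s" % unexpected)
    for field, rule in USER_SCHEMA.items():
        if field not in data:
            raise ValueError("missing field: %s" % field)
        value = data[field]
        if isinstance(rule, type):  # exact type; a JSON true is not an int
            ok = isinstance(value, rule) and not isinstance(value, bool)
        elif isinstance(rule, tuple):
            ok = value in rule
        else:
            ok = isinstance(value, str) and rule.match(value) is not None
        if not ok:
            raise ValueError("invalid value for %s" % field)
    return data
```

Rejecting undeclared fields is what also blocks mass-assignment style requests, so the same allow-list serves two items from the Top Ten.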
Protect Against SQL Injection
The best-known form of injection is SQL injection, in which an attacker modifies the database queries an application issues. The Layer7 API gateway offers several SQL protections that can be applied to the URL path, the URL query string, or the body of the request.
1. Add the Protect Against SQL Attacks assertion to your policy. The assertion allows you to select some or all of the available SQL protections for either MS SQL Server exploits or Oracle exploits.
2. Exercise caution when using the Invasive SQL Injection Attack protection: while it protects against more SQL injection attacks, it produces many false positives, especially when the messages also contain XML.
Protect Against LDAP Injection
LDAP injection is an attack used to exploit web-based applications that construct LDAP statements from user input. When an application fails to properly sanitize user input, it is possible to modify LDAP statements through techniques similar to SQL injection. LDAP injection attacks can result in permissions being granted to unauthorized queries and in content modification inside the LDAP tree.
OWASP recommends escaping any untrusted data that is added to an LDAP query. There are two forms of LDAP escaping: encoding for LDAP search filters and encoding for LDAP DNs (distinguished names).
1. To sanitize input for a search filter in the Layer7 API gateway, drag and drop the Protect Against Code Injection assertion into your policy.
2. Double-click the assertion and select the LDAP Search Injection protection. The gateway will then block messages that use metacharacters typically used to inject code into LDAP search values.
3. When a DN is used as a username-type credential for accessing protected resources, also select the LDAP DN Injection protection to block messages that contain metacharacters typically used to inject code into DN values.
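The two forms of escaping OWASP describes, as an added Python example (not gateway code): escape_ldap_filter applies the RFC 4515 rules for values inside a search filter, and escape_ldap_dn applies the RFC 4514 rules for attribute values in a distinguished name. The filter shape, attribute names and base DN are constructed for the illustration.

```python
# Escaping for the two LDAP contexts: search filter values (RFC 4515)
# and DN attribute values (RFC 4514). Written for this post; constructed.

def escape_ldap_filter(value: str) -> str:
    """Escape a value placed inside an LDAP search filter (RFC 4515).

    Each metacharacter becomes a backslash plus its two hex digits, so the
    value can neither close the current filter component nor open a new one,
    and a user-supplied '*' is matched literally rather than as a wildcard.
    """
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)

def escape_ldap_dn(value: str) -> str:
    """Escape an attribute value used in a distinguished name (RFC 4514).

    Special characters are prefixed with a backslash; a leading '#' and a
    leading or trailing space are escaped as well, and NUL becomes \\00.
    """
    special = ',+"\\<>;'
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in special:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ch == '#' and i == 0:
            out.append('\\#')
        else:
            out.append(ch)
    return ''.join(out)

def build_user_filter(username: str) -> str:
    """Build a lookup filter with the untrusted username escaped (constructed shape)."""
    return '(&(objectClass=person)(uid=%s))' % escape_ldap_filter(username)

def build_user_dn(username: str, base_dn: str = 'ou=people,dc=example,dc=com') -> str:
    """Build a bind DN with the untrusted username escaped (constructed base DN)."""
    return 'uid=%s,%s' % (escape_ldap_dn(username), base_dn)
```

A gateway protection that blocks these metacharacters outright and escaping in the application are complementary: the former stops the request at the edge, the latter keeps the backend safe for any request that does get through.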
Protect Against Code Injection
The Layer7 API gateway code injection protection can be applied to the URL path, the URL query string, or the body of the message. The Protect Against Code Injection assertion includes protections for various kinds of code injection, including LDAP injection, scripting injection and XPath injection.
1. Add the Protect Against Code Injection assertion to your policy.
2. Depending on the type of resource being protected and the types of potential exploits, select one or more of the available injection protections.
Injection vulnerabilities are very common, and although OWASP publishes guidelines for remedying them, developers tend to focus on the functionality of their applications and security guidelines are often overlooked. This guide has shown that with the Layer7 API gateway, security can be added to APIs at runtime using the ready-made security assertions, leaving developers free to focus on perfecting the functionality of their APIs.
Looking for additional help with mitigating security vulnerabilities and security breaches? ISX Consulting is an elite IAM security firm that offers boundless expertise in a range of cybersecurity and business process services, including the Broadcom API gateway and more. Take your interoperability to the next level, and contact an ISX consultant today.